vidar | 5acfa6fa8892b4a6fd659c5e05cd5c80a1e51c4b80c11e9fa0ba477f2e6137d9

General

Target

9eaae8e37d67a66203912ee78be8c3bd.exe
Size

617KB
MD5

9eaae8e37d67a66203912ee78be8c3bd
SHA1

dd0975d6b7a28cf0730495d6873e220d4064081e
SHA256

5acfa6fa8892b4a6fd659c5e05cd5c80a1e51c4b80c11e9fa0ba477f2e6137d9
SHA512

7342dbe3474338c6ad8b6b188825e89c0ecafe29d4333d77d796ea1c77c79ac94a30abbba539a8a98943498bc142b24f51dead25e5271b7c0e138f335388c870
SSDEEP

12288:V5VqlAqsvyBT04oKO1ua1Ua/KQOK5+NfYdQNUfs4jEwd7JBujxId+2LU:V5vvU6VqK8Qd1sOBdjujxxs

Score

10^/10

vidar 237 discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

8

Botnet

237

C2

http://hospitaleco.com/

Attributes

profile_id
237

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2404-2-0x0000000000400000-0x000000000068B000-memory.dmp	family_vidar
behavioral1/memory/2404-56-0x0000000000400000-0x000000000068B000-memory.dmp	family_vidar
behavioral1/memory/2404-84-0x0000000000400000-0x000000000068B000-memory.dmp	family_vidar

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1136 cmd.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1136	cmd.exe

flow	ioc
15	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9eaae8e37d67a66203912ee78be8c3bd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9eaae8e37d67a66203912ee78be8c3bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9eaae8e37d67a66203912ee78be8c3bd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1472 taskkill.exe

pid	process
1472	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9eaae8e37d67a66203912ee78be8c3bd.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9eaae8e37d67a66203912ee78be8c3bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	9eaae8e37d67a66203912ee78be8c3bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9eaae8e37d67a66203912ee78be8c3bd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9eaae8e37d67a66203912ee78be8c3bd.exe

pid	process
2404	9eaae8e37d67a66203912ee78be8c3bd.exe
2404	9eaae8e37d67a66203912ee78be8c3bd.exe
2404	9eaae8e37d67a66203912ee78be8c3bd.exe
2404	9eaae8e37d67a66203912ee78be8c3bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1472 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1472	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9eaae8e37d67a66203912ee78be8c3bd.execmd.exe

description	pid	process	target process
PID 2404 wrote to memory of 1136	2404	9eaae8e37d67a66203912ee78be8c3bd.exe	cmd.exe
PID 2404 wrote to memory of 1136	2404	9eaae8e37d67a66203912ee78be8c3bd.exe	cmd.exe
PID 2404 wrote to memory of 1136	2404	9eaae8e37d67a66203912ee78be8c3bd.exe	cmd.exe
PID 2404 wrote to memory of 1136	2404	9eaae8e37d67a66203912ee78be8c3bd.exe	cmd.exe
PID 1136 wrote to memory of 1472	1136	cmd.exe	taskkill.exe
PID 1136 wrote to memory of 1472	1136	cmd.exe	taskkill.exe
PID 1136 wrote to memory of 1472	1136	cmd.exe	taskkill.exe
PID 1136 wrote to memory of 1472	1136	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe
"C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nss3.dll
Filesize
5KB

MD5
7da374e3b5cee2c3ca41229c8d8af094

SHA1
bd115852e581d2686108979a65550014b17bbd6e

SHA256
d0cbf163d2c35044519398c143ef51fc0fe96a7ca5da16eb6e00db5a169e3dce

SHA512
08e3b4a09834d1f8de7eaed0839d87a38fb6a9d4d2a3150af71cd46a8e566fc1d3887725295a36b275a6b1e99336f5e060212e9ab05fe3ee0b1ddb55c7468061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5DBC.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DED.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2404-1-0x0000000001F70000-0x0000000002070000-memory.dmp

Filesize
1024KB

Download
memory/2404-2-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2404-56-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2404-60-0x0000000001F70000-0x0000000002070000-memory.dmp

Filesize
1024KB

Download
memory/2404-84-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2404-85-0x0000000001F70000-0x0000000002070000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads